CISSP Study-Tech Skills Gap For An InfoSec Noob

Hello,

My post is a two part question involving CISSP study material as well as a skills gap in those new to InfoSec that acquire the CISSP. I’ve read quite a few posts indicating the excess amount of ‘paper’ CISSP(s) with no ‘real world’ experience. I fully intend on becoming one of those individuals. I’m very interested in InfoSec and I honestly believe this is the area of IT that I want to make a career out of.

A brief bio about me. I’m in my last semester of my B.A. at Thomas Edison State College (finishing up in 2 weeks!) of a non-technical degree and intend on continuing my education at WGU in pursuit of their M.S. Information Security and Assurance program in January. A stipulation of admission to the program per WGU:

Online IT Degree | MS in Information Security and Assurance

-Have earned a bachelor’s degree in IT security or IT networking that covers at least two CISSP CBK domains. (You can find the domains listed here.)

-Hold a CISSP, CCIE, CCNP, CCNA, or GCWN certification that was earned within the last five years.

I do not hold a technical undergraduate degree, my certifications consist of A+, Network+ and Security+, and I have no professional experience in information security (currently working on a business solutions help desk for an ISP). That leaves me with earning one of the technical certifications as described above, of which I’ve chosen the CISSP. I’ll have 90 days to study and sit for the exam and expect to put in around 250 hours of study time between Oct to Jan 2016 (the time between finishing my Bachelors and starting my Masters). I’ve read numerous postings indicating the CISSP is geared toward the managerial type with the SSCP and CASP being more technical certifications. I have no desire to be a manager of anything and really just want to become as technical as I can be to increase job prospects. I’m also not so naive to think that I could fit the requirements of senior positions based on solely passing the CISSP. I’d be looking for entry to mid-level InfoSec opportunities to gain experience.

If I’m able to pull this off and get the CISSP in 90 days, I truly want to pursue another InfoSec certification of a more technical nature to solidify my understanding of technical concepts and bridge any tech gaps I might have from the CISSP. My question is, what would be a good technical certification that would showcase skills and ability as well as strengthen CISSP tech concepts? I’ve thought of circling back to the SSCP..or looking toward the CASP..I’ve even thought about the GIAC GSEC thought it seems sort of far-fetched with the cost involved. I could be completely wrong and might be overthinking things? Any advice you could provide in terms of certifications that would complement the CISSP would be greatly appreciated.

On to question #2. I’ve put together resources to study for the CISSP. Updated materials for the 2015 blueprint seem hard to come by. Never the less I’ve chosen:

-CISSP Practice Exams, Third Edition
http://www.amazon.com/CISSP-Practice-Exams-Third-Harris/dp/0071845429/ref=sr_1_5?s=books&ie=UTF8&qid=1442177606&sr=1-5&keywords=cISSP

CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide 7th Edition (This is an updated book for the 2015 changes and features Darril Gibson as a co-author. I had good success with his Security+ material and can only image that will be great as well)
http://www.amazon.com/Certified-Information-Security-Professional-Official/dp/1119042712/ref=sr_1_1?s=books&ie=UTF8&qid=1442177606&sr=1-1&keywords=cISSP

CISSP Study Guide, 3rd Edition (Eric Conrad)-Released Nov 2015
http://www.amazon.com/CISSP-Study-Guide-Third-Conrad/dp/0128024372/ref=sr_1_8?s=books&ie=UTF8&qid=1442177606&sr=1-8&keywords=cISSP

And lastly the CBT nuggets video course for the CISSP and some sort of practice exam (Boson, Transcender, or (ISC)2’s test bank. In terms of video courses, books, and practice tests have I forgotten anything? Anything on my list that could be replaced with more relevant materials? I appreciate all advice in advance.

-Travis

UPDATE
Decided to forgo the CISSP per advice given on this thread and otherwise and instead earn the CCNA at this time. Once again thanks for all the input.

-Travis

Find more posts tagged with

Comments

naclh2onaz

Passing the test alone will not make you a CISSP, you will need 5 years experience as well. Not sure if WGU will just accept you passing the test, which will make you an Associate of ISC2

bubble2005

orlandofl wrote: »

Hello,

My post is a two part question involving CISSP study material as well as a skills gap in those new to InfoSec that acquire the CISSP. I’ve read quite a few posts indicating the excess amount of ‘paper’ CISSP(s) with no ‘real world’ experience. I fully intend on becoming one of those individuals. I’m very interested in InfoSec and I honestly believe this is the area of IT that I want to make a career out of.

A brief bio about me. I’m in my last semester of my B.A. at Thomas Edison State College (finishing up in 2 weeks!) of a non-technical degree and intend on continuing my education at WGU in pursuit of their M.S. Information Security and Assurance program in January. A stipulation of admission to the program per WGU:

Online IT Degree | MS in Information Security and Assurance

-Have earned a bachelor’s degree in IT security or IT networking that covers at least two CISSP CBK domains. (You can find the domains listed here.)

-Hold a CISSP, CCIE, CCNP, CCNA, or GCWN certification that was earned within the last five years.

I do not hold a technical undergraduate degree, my certifications consist of A+, Network+ and Security+, and I have no professional experience in information security (currently working on a business solutions help desk for an ISP). That leaves me with earning one of the technical certifications as described above, of which I’ve chosen the CISSP. I’ll have 90 days to study and sit for the exam and expect to put in around 250 hours of study time between Oct to Jan 2016 (the time between finishing my Bachelors and starting my Masters). I’ve read numerous postings indicating the CISSP is geared toward the managerial type with the SSCP and CASP being more technical certifications. I have no desire to be a manager of anything and really just want to become as technical as I can be to increase job prospects. I’m also not so naive to think that I could fit the requirements of senior positions based on solely passing the CISSP. I’d be looking for entry to mid-level InfoSec opportunities to gain experience.

If I’m able to pull this off and get the CISSP in 90 days, I truly want to pursue another InfoSec certification of a more technical nature to solidify my understanding of technical concepts and bridge any tech gaps I might have from the CISSP. My question is, what would be a good technical certification that would showcase skills and ability as well as strengthen CISSP tech concepts? I’ve thought of circling back to the SSCP..or looking toward the CASP..I’ve even thought about the GIAC GSEC thought it seems sort of far-fetched with the cost involved. I could be completely wrong and might be overthinking things? Any advice you could provide in terms of certifications that would complement the CISSP would be greatly appreciated.

On to question #2. I’ve put together resources to study for the CISSP. Updated materials for the 2015 blueprint seem hard to come by. Never the less I’ve chosen:

-CISSP Practice Exams, Third Edition
CISSP Practice Exams, Third Edition: 9780071845427: Computer Science Books @ Amazon.com

CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide 7th Edition (This is an updated book for the 2015 changes and features Darril Gibson as a co-author. I had good success with his Security+ material and can only image that will be great as well)
http://www.amazon.com/Certified-Information-Security-Professional-Official/dp/1119042712/ref=sr_1_1?s=books&ie=UTF8&qid=1442177606&sr=1-1&keywords=cISSP

CISSP Study Guide, 3rd Edition (Eric Conrad)-Released Nov 2015
Amazon.com: CISSP Study Guide, Third Edition (9780128024379): Eric Conrad, Seth Misenar, Joshua Feldman: Books

And lastly the CBT nuggets video course for the CISSP and some sort of practice exam (Boson, Transcender, or (ISC)2’s test bank. In terms of video courses, books, and practice tests have I forgotten anything? Anything on my list that could be replaced with more relevant materials? I appreciate all advice in advance.

-Travis

1. "That leaves me with earning one of the technical certifications as described above, of which I’ve chosen the CISSP"

2. "I’ve read numerous postings indicating the CISSP is geared toward the managerial type with the SSCP andCASP being more technical certifications. I have no desire to be a manager of anything and really just want to become as technical as I can be to increase job prospects."

Why have you chosen the CISSP to steer you into the technical arena though? From the requirements you can choose either CISSP, CCIE, CCNP, CCNA, or GCWN. Really and truly CCNA would probably be more advantageous to you given your stated career path. But first, what are some of the job titles or functions you're interested in? That will help a lot in clarifying any issues for job prospects.

It isn't impossible to pass the exam without any experience but I will tell you that it will be extremely challenging. With the amount of time and effort you're considering, you should be ok. When did you get your other three certs and how have you been using them at all? You want to ensure that your certs line up with your XP because that can also be red flags to an employer, even if you are a studious and proactive individual. Are you considering working to the same place you are now? Have you looked for new employers since you already have your other certs?

From my understanding, it is the technical route that you want to be in and also non-mgmt. CISSP is very high-level. Technically speaking, the SSCP would be your best bet for your goal of being technically oriented (that should have also been listed) but even that requires a year xp.

In the end, it's your choice on what you want to do but what you are planning on doing and what your motives are may be conflicting slightly, imho

The resources that you listed are also good for preparation. Just don't overload yourself thinking that more books will automatically cause you to pass the exam. Focus on the list you have there and learn the material well. Also keep in mind the total of pages and questions in each book you get. What i mean by this is, if you were to purchase Darril gibson new book and shon harris' AIO 6 (I'm sure someone will suggest that eventually) book, that's almost 3000 pages to read. Are you up for that? Then if you have multiple testing platforms that can run you into the same amount as well. Personally I adopt tight studying (one video, one book, one exam platform and hope for the best).

orlandofl

Passing the test alone will not make you a CISSP, you will need 5 years experience as well. Not sure if WGU will just accept you passing the test, which will make you an Associate of ISC2

Thank you for your reply. WGU did indicate they would except the ISC2 associate in terms of admission.

-Travis

orlandofl

Why have you chosen the CISSP to steer you into the technical arena though? From the requirements you can choose either CISSP,CCIE, CCNP, CCNA, or GCWN. Really and truly CCNA would probably be more advantageous to you given your stated career path. But first, what are some of the job titles or functions you're interested in? That will help a lot in clarifying any issues for job prospects.

I had looked towards the CCNA for a long time. I do very much enjoy networking and have experience as a telecom NOC technician. While I do enjoy networking and would be happy in a NOC type environment I really want to get into InfoSec. InfoSec seems incredibly hard to break into. Security+ and SSCP doesn't really seem to be in demand and I thought at a minimum the CISSP could get my foot in the door and allow me to gain experience. There are tons of InfoSec jobs here in the Orlando, FL area. Companies like Symantec, Northrop Grumman, and Lockheed Martin are in the area and always hiring. In terms of jobs I had been interested in titles such as security analyst, malware analyst, and network security technician.

When did you get your other three certs and how have you been using them at all?

I did A+, Network+ and Security+ back to back during my layoff from my NOC job at Ericsson which was from Feb 2015-April 2015. Using them?..some..not so much the Security+. I'm in a tier II business help desk role for an ISP so i get a little networking and hardware troubleshooting in on a day to day (phone based support). I'm going to be completely honest in that I really just want to get as technical as possible and get myself off the help desk and into a role more in line with my financial and professional goals.

The resources that you listed are also good for preparation. Just don't overload yourself thinking that more books will automatically cause you to pass the exam. Focus on the list you have there and learn the material well

This makes good sense and is what I've done historically to prepare for exams. 1 book, 1 video series, and 1 vendor of exams seems to be exhausting enough. Thanks for the reality check.

Would it be easier to break into InfoSec from a CCNA type networking gig? I'd agree the Master's degree is overkill for what I want to do..but the majority of jobs are asking for a Bachelor's in IT 'or similar field' and Criminal Justice couldn't be any further from IT. I guess i figured the Master's program will serve to clear up any issues of not having an undergraduate degree in a technical discipline...plus i just flat out want to earn a graduate degree so i can be content and 'done' with academia.

stryder144

Why did you choose a bachelor degree in Criminal Justice and why do you work in IT? Why do you want to go to WGU for their MSISA degree? Have you considered leveraging the B.A. in CJ by pursuing a Digital Forensics degree, such as the one from University of Maryland University College (UMUC)?

Honestly, you might find that getting the CCNA first will help you out better long term. I say this because landing an InfoSec job without a deep(ish) understanding of networks, computer systems, virtualization, etc. will probably put you behind your peers. Getting the CCNA will lay a stronger foundation than the Network+ certification and, possibly, help you land a better paying gig down the line when paired with the CISSP. Just a thought.

636-555-3226

A paper CISSP is all well and good, but then you need to find someone to hire you based on that paper CISSP. You may succeed there, based on the current supply and demand (and to the eventual dismay of your new employer), but I can tell you that if you applied to be on my security team the CISSP may get you past HR and resume eyes-on with us, but no further. I need to see someone living and breathing security or at least the IT lifesetyle (if hiring entry-level). And anybody who gets an actual interview with us will get asked technical questions to figure out where they actually lie in terms of skillset. From the sound of it, we'd tear you up and spit you out in about 5 minutes.

I don't want to be mean here, but paper CISSPs dilute the value of the certification and only end up wasting my time and your time. The experience requirements are there for a reason, and simply having CISSP on your resume doesn't make me take for granted that you're any good at a particular area. My advice is to stick with the help desk to learn everything you can there while studying the mile wide inch deep that is security in general. Networking, web, programming, forensics, risk, etc. You'll need all of that to truly succeed in this area that you're passionate about. There are no shortcuts when it comes to security. Shortcuts are what lead to the stories you read about in the news.

dustervoice

1. Take the CISSP if you want to.
2. Apply for an associate
3. Gain relevant experience
4. Move into security
5. Apply for full CISSP
6. Become rich and enjoy life!
7. Die and be reborn as a security expert

orlandofl

Why did you choose a bachelor degree in Criminal Justice and why do you work in IT? Why do you want to go to WGU for their MSISA degree? Have you considered leveraging the B.A. in CJ by pursuing a Digital Forensics degree, such as the one from University of Maryland University College (UMUC)?

I went with the B.A. in CJ some time ago while I was still in the military. Back then I had plans of getting out and getting into federal law enforcement. My career goals have shifted since my early 20's as I look towards 30 in a couple of months. I had half the degree done five years ago. Last year before committing to finishing the thing I had looked into making the switch to a tech degree but it would have costed me an extra year and thousands of dollars. A social science/liberal arts degree is writing and research intensive which many believe to extremely invaluable and fantastic preparation for graduate school. Even if I in someway could now change to a technical discipline..i don't think I would it. If anything I would have done just a straight liberal arts degree and paired it with a specialized/focused Master's degree. As more and more people go to college the idea of the Master's degree becoming the 'new Bachelors' is more and more relevant with each passing year.

I went with WGU because it's a technical degree from a not for profit institution and cheap. I don't want to sink another 20-30K into a degree. I still have a semester left of GI Bill benefits that will cover the first 6 months. The ideal situation from a financial stand point would be to complete the degree in 18 months and only have to come out of pocket 6K.

Have you considered leveraging the B.A. in CJ by pursuing a Digital Forensics degree, such as the one from University of Maryland University College (UMUC)

I have indeed. The cost of the program was a deterrent, but not the biggest turn off. The lack of digital forensic positions here in the central FL area was down right frightening. I see a few pop-up in the Tampa area every so often, but not enough to where I would feel comfortable doing my degree in forensics and trying to make a living in the field.

orlandofl

A paper CISSP is all well and good, but then you need to find someone to hire you based on that paper CISSP. You may succeed there, based on the current supply and demand (and to the eventual dismay of your new employer), but I can tell you that if you applied to be on my security team the CISSP may get you past HR and resume eyes-on with us, but no further. I need to see someone living and breathing security or at least the IT lifesetyle (if hiring entry-level). And anybody who gets an actual interview with us will get asked technical questions to figure out where they actually lie in terms of skillset. From the sound of it, we'd tear you up and spit you out in about 5 minutes.

I think I would have no problems in a technical interview.....because I'd only be willing to apply to entry level InfoSec jobs. Though I'd be working on my Master's and hopefully have the CISSP, i'm only looking for a start in the field and a foot in the door. I'm not sure if you thought i'd be looking for senior positions?

I don't want to be mean here, but paper CISSPs dilute the value of the certification and only end up wasting my time and your time.

I also don't mean to be a jerk..but if i spend 250 hours learning the material i'm not sure how i would be diluting the certification. I would be an Associate, not a full fledged. you speak of 'learning all you can'.....I'm not sure I know of a better way to accomplish that than to study for and pass the most prestigious InfoSec certification in the industry.

My advice is to stick with the help desk to learn everything you can there

No offense, I really don't think this is good advice at all. I mentioned I work on an ISP help desk supporting customers. After being in a help desk-inbound call environment I see no reason why anyone should spend more than a year in this type of role. The amount of concepts learned is very negligible in my current role. I think it's a foot in the door and should act as a stepping stone to better roles assuming education and certifications have been earned. Whether I decided to earn the CCNA or CISSP I would be grossly over qualified for a help desk role with either of the two and pursuing a graduate degree in that sort of role just adds insult to injury. It's never a good idea for someone to sit ideal and not move forward, and that seems to be the advice you're dispensing here. I would encourage anyone on a help desk to spend no more than 12 months in the role, then progress in some way.

*If what you said was I would encourage you to get an entry level networking job, then stay there to learn all you can to get a solid working foundation of security, i would agree. To stay on a help desk over a year with qualifications (to me) is just spinning your wheels and is a very expensive endeavor when you look at the cost of certifications and degrees in conjunction with the average pay of a help desk position. *

Regards,

-Travis

636-555-3226

"because I'd only be willing to apply to entry level InfoSec jobs" - people with CISSPs don't usually apply for entry-level jobs.

"Whether I decided to earn the CCNA or CISSP I would be grossly over qualified" - Certifications (CCNA, CISSP, whatever) don't qualify you for anything. Knowing how to do things qualifies you.

I'm all for people moving forward, and I wish you luck. I'll just reiterate that to be good at security you need to be good at a whole bunch of other things at the same time. For example, you can't install or operate an IPS without knowing a lot about networking, and you can't install or operate two-factor authentication without knowing a lot about Active Directory. This breadth of knowledge comes from working in IT for awhile. Entry-level security positions are different than entry-level IT positions. Entry-level security positions typically assume you know a lot about IT in general and are looking to combine all of that into the security ultimatum.

orlandofl

I'm all for people moving forward, and I wish you luck. I'll just reiterate that to be good at security you need to be good at a whole bunch of other things at the same time. For example, you can't install or operate an IPS without knowing a lot about networking, and you can't install or operate two-factor authentication without knowing a lot about Active Directory. This breadth of knowledge comes from working in IT for awhile. Entry-level security positions are different than entry-level IT positions. Entry-level security positions typically assume you know a lot about IT in general and are looking to combine all of that into the security ultimatum.

Fair enough, thanks for all your insight.

-Travis

stryder144

orlandofl...thanks for the response. Everything makes total sense to me. Quite a few of my friends went the Criminal Justice route due to their military affiliation. As for the cost benefit of WGU over UMUC, makes total sense to me, as well. WGU is definitely a very afford school to attend. Good luck and keep us informed about your journey into IT.

jt2929

Don't forget, even if you do pass the exam, you can't put CISSP on your resume until you have the full endorsement. You'll have to put "Associate of (ISC)2" which probably will do you no good in the HR filters.

Danielm7

orlandofl wrote: »

I also don't mean to be a jerk..but if i spend 250 hours learning the material i'm not sure how i would be diluting the certification. I would be an Associate, not a full fledged. you speak of 'learning all you can'.....I'm not sure I know of a better way to accomplish that than to study for and pass the most prestigious InfoSec certification in the industry.

You'd be diluting the certification because it's meant for people who have 5+ years of experience in security, you have 0, so spending 250 hours over a few months doesn't count for the same thing. Also, it's not "the most prestigious InfoSec certification in the industry" but that's another issue entirely.

As other posters pointed out, entry level IT and entry level security are completely different things. You should have a background in systems, networks, etc, to even make sense of what you'll need to in the security field. If I'm hiring a Jr security person, and I will be soon, if they came in with just helpdesk, no server or network experience and an "associate of isc2" it really wouldn't go very far. If that same person came in, without the cert but told me how passionate they were, bang on a home lab all the time learning X and Y tools and they follow all the security news, they would get worlds more interest out of me.

NetworkNewb

I don't even like the whole "required experience" on exams. All a certifications means is someone knew just enough to pass a test.

So a complete idiot manager who makes a few decisions on a how to implement security (and does a shitty job) would be able to take this test over a smart/driven person trying to work their way up?

If someone has the experience a company is looking for they should be able to see that on a resume... If the company wants someone with a bunch of technical skills, one, the CISSP should not be a deciding factor on that, and two, they should be able to find out the skills they are looking for in the interview. IMO, people put way too much value on certs in general. I think they are just keys to get passed HR.

As far the OP, if he wants the CISSP, he should study for it and take it. Doesn't sound like he will get endorsed, but he would definitely learn a lot of general security practices a company should use. And WGU will accept it as their prerequisite.

Best of luck!

bubble2005

dustervoice wrote: »

1. Take the CISSP if you want to.
2. Apply for an associate
3. Gain relevant experience
4. Move into security
5. Apply for full CISSP
6. Become rich and enjoy life!
7. Die and be reborn as a security expert

Point 7, lol Funny.

siderealprex

I totally get you. I feel like we are both on the same path. I finished my BS in Criminal Justice. This degree has taught me a lot. Also being in the military.. Why don't you use your GI bill for SANS classes after you get your bachelors? They have a certificate program and also a Masters program. If you hate writing papers like me(I had to in class for criminal behaviors and etc), then do not go for the cybersecurity engineering core and the Masters, but go for either incident handling, pen testing, or cyber defense operation.